I have a friend of mine, a small business owner, who manages his own Linux server. It's a simple web server using plain Jane HTML … and he loves to manage the server himself. Except when he gets locked out, because his home IP is dynamic and he is using lfd/csf as a security layer. He calls me, we chat, and the chats always end up with something like "hey, can you reset my IP when you get time". I love talking to him … he is a great friend, but third time is a charm … meaning, I love helping friends out, but if I have to fix the same problem more than once, I am likely going to find a more permanent solution. And this is what I came up with ….
First, one of the things we did is we created a fake DNS name (I would suggest not making this obvious). The script will use this fake DNS name to compare to the current value in the "allowed IPs" file. The DNS name points to his home IP address. The theory is, if you get locked out of your server, you can update your IP address (since he also controls DNS for his server), and within "however many minutes until the next cron runs" you will automagically be unblocked. Pretty nifty, huh? The only thing it really requires is that on Red Hat/CentOS type servers you need to install bind-utils, which includes the dig command. His server didn't have it installed, so I am mentioning that in case yours doesn't either.
Before you attempt to use this script, first, go to http://www.edwiget.name/ip.php and get your current IP address (no ads, I farking hate ads so much I created this URL specifically to get my IP).
Second, write that IP down.
Third, go to your DNS management console or GUI or provider or whatever you have and create some fake subdomain with that IP. Let's say your domain is abcd.com; your subdomain would be something like blahblahblah.abcd.com with an A record pointing to the IP you wrote down.
Fourth, copy this script to /usr/local/bin/whateveryouwanttocallit.sh on the server that has lfd/csf installed.
Fifth, chmod +x /usr/local/bin/whateveryouwanttocallit.sh
Sixth, make sure your default allow list is at /etc/csf/csf.allow
Seventh, edit the script and replace insert_your_dns_name_here with whatever DNS name you created in step 3 above.
Eighth, create a cron job to run the script however often you are OK with being locked out; e.g. I will give an example below for 1 hour.
The script:
[codesyntax lang="bash"]
#!/bin/bash
# This script updates the management ip for csf so you don't get locked out
# enable debugging
# set -x

# insert your dns name here ... duh
HIP=`dig insert_your_dns_name_here +short`

# default location of the lfd/csf allow file, 1 ip per line
UFILE="/etc/csf/csf.allow"

# bail out if dig returned nothing, otherwise an empty line gets appended
# to the allow file and the grep below matches every line
if [ -z "${HIP}" ]; then
    echo "could not resolve management ip, not touching csf" | logger -t EDS-SECURITY
    exit 1
fi

# reloading the service
reload_lfd() {
    systemctl restart lfd.service
}

# a loop to make sure our reload worked (give up after a few tries so a
# broken reload can't spin forever under cron)
reload_success() {
    tries=0
    while [ "$finished" != "true" ]; do
        # -F so the dots in the ip are literal, not regex wildcards
        if iptables -L -n | grep -qF "${HIP}"; then
            echo "reloading service successful"
            finished=true
        else
            echo "try again"
            reload_lfd
            finished=false
            tries=$((tries + 1))
            if [ "$tries" -ge 5 ]; then
                echo "lfd reload failed, giving up" | logger -t EDS-SECURITY
                exit 1
            fi
        fi
    done
}

# here we check if the ip in dig is already in the allow list
if grep -qF "${HIP}" "${UFILE}"; then
    echo "updating csf not required" | logger
else
    echo "updating csf to ${HIP}" | logger -t EDS-SECURITY
    echo "${HIP}" >> "${UFILE}"
    # reload process
    reload_lfd
    reload_success
fi
[/codesyntax]
To set this up as a cron job, run crontab -e for the root account (the script edits /etc/csf and restarts lfd, so it needs root) and insert the line below:
[codesyntax lang="bash"]
0 * * * * /usr/local/bin/whateveryoucalledthescript.sh > /dev/null
[/codesyntax]
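One thing the script above does is append a new line every time the home IP changes, so every address the ISP ever handed out stays in csf.allow until someone cleans it up. Here is an added example, my own code rather than the original script, that keeps a single tagged entry and swaps the address in place; the tag name, the sample allow file and the addresses are constructed, and the live dig/lfd call is shown only as a comment.

```bash
#!/bin/bash
# Added example: keep exactly one tagged "dynamic home" entry in csf.allow
# instead of appending a new IP each time, so old home IPs don't stay
# whitelisted forever. Tag name and the sample file below are constructed.
set -u

TAG="dyn-home"   # trailing "# comment" is ignored by csf; we key on it

# is_ipv4 ADDR: succeed only for a plain dotted quad (dig +short may return
# nothing, or a CNAME target, when the record is broken).
is_ipv4() {
    local ip=$1 o
    [[ $ip =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do (( 10#$o <= 255 )) || return 1; done
}

# current_tagged_ip FILE: print the IP on the line carrying our TAG, if any.
current_tagged_ip() {
    awk -v tag="# $TAG" 'index($0, tag) { print $1; exit }' "$1"
}

# update_allow FILE IP: replace the tagged line (or add one). Returns 0 when
# the file changed, 1 when it was already current, 2 on a bad IP.
update_allow() {
    local file=$1 ip=$2 tmp
    is_ipv4 "$ip" || return 2
    [ "$(current_tagged_ip "$file")" = "$ip" ] && return 1
    tmp=$(mktemp) || return 2
    awk -v tag="# $TAG" 'index($0, tag) == 0' "$file" > "$tmp"
    printf '%s # %s\n' "$ip" "$TAG" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner/mode
}

# Live use from cron (not run here):
#   HIP=$(dig +short your.dns.name | tail -n1)
#   update_allow /etc/csf/csf.allow "$HIP" && systemctl restart lfd.service

# Constructed sample standing in for /etc/csf/csf.allow.
DEMO=$(mktemp)
printf '%s\n' '10.0.0.5 # office' '198.51.100.7 # dyn-home' > "$DEMO"
update_allow "$DEMO" 203.0.113.9;  echo "first update rc=$?"   # 0: swapped
update_allow "$DEMO" 203.0.113.9;  echo "second update rc=$?"  # 1: unchanged
update_allow "$DEMO" not.an.ip;    echo "bad input rc=$?"      # 2: rejected
cat "$DEMO"; rm -f "$DEMO"
```

Only restart lfd when update_allow returns 0, so an unchanged file or a failed DNS lookup never causes a reload.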